Beats – ELK
Beats
Beats are lightweight data shipping agents installed on machines to send data to logstash or elasticsearch. Beats installed on multiple machines help to centralize data for analysis. It is also possible to ship data to hosted elasticsearch. Filebeat, Metricbeat, Packetbeat, Winlogbeat, Auditbeat and Hearbeat are the members of beat family.
Winlogbeat
Winlogbeat is used to ship data from Windows machines to Elasticsearch or Logstash
Installation
Download the Winlogbeat zip file from elastic.co
Extract the contents into C:\Program Files.
Rename the winlogbeat-<version> directory to Winlogbeat.
Open a PowerShell prompt as an Administrator
PS C:\Users\Administrator> cd 'C:\Program Files\Winlogbeat' PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1 Security warning Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1? [D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R Status Name DisplayName ------ ---- ----------- Stopped winlogbeat winlogbeat
Before starting Winlogbeat, the configuration file for winlogbeat is winlogbeat.yml that is available in the extracted folder, for example C:\Program Files\Winlogbeat\winlogbeat.yml. There’s also a full example configuration file called winlogbeat.reference.yml that shows all non-deprecated options.
Configure Winlogbeat
To configure Winlogbeat, you edit the winlogbeat.yml configuration file.
Here is a sample of the winlogbeat.yml file:
winlogbeat.event_logs: - name: Application - name: Security - name: System output.elasticsearch: hosts: - localhost:9200 logging.to_files: true logging.files: path: C:/ProgramData/winlogbeat/Logs logging.level: info
To configure Winlogbeat:
In the event_logs section, specify the event logs that you want to monitor. By default, Winlogbeat is set to monitor application, security, and system logs:
winlogbeat.event_logs: - name: Application - name: Security - name: System
If you are sending output directly to Elasticsearch (and not using Logstash), set the IP address and port where Winlogbeat can find the Elasticsearch installation:
output.elasticsearch: hosts: - localhost:9200
If you are sending output to Logstash
output.logstash: hosts: ["127.0.0.1:5044"]
If you plan to use the sample Kibana dashboards provided with Winlogbeat, configure the Kibana endpoint:
setup.kibana: host: "localhost:5601"
Where host is the hostname and port of the machine where Kibana is running, for example, localhost:5601.
If you specify a path after the port number, you need to include the scheme and port: http://localhost:5601/path.
If you’ve secured Elasticsearch and Kibana, you need to specify credentials.
output.elasticsearch: hosts: ["elasticsearchhost:9200"] username: "user" password: "password" setup.kibana: host: "kibanahost:5601" username: "user" password: "password"
After you save your configuration file, test it with the following command.
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e
Winlogbeat can be used to load an index template for elasticsearch. The is a default template file for Winlogbeat is installed by the Winlogbeat packages. If you accept the default configuration in the winlogbeat.yml config file, Winlogbeat loads the template automatically after successfully connecting to Elasticsearch.
Once the configuratio is done you can start the “winlogbeat” service from Window’s services console.
By default logs are stored in the C:\ProgramData\winlogbeat\Logs folder. Open winlogbeat file to see the log details
2018-04-04T08:02:44+03:00 INFO Home path: [C:\ProgramData\winlogbeat-6.1.1-windows-x86_64] Config path: [C:\ProgramData\winlogbeat-6.1.1-windows-x86_64] Data path: [C:\\ProgramData\\winlogbeat] Logs path: [C:\\ProgramData\\winlogbeat\logs] 2018-04-04T08:02:44+03:00 INFO Metrics logging every 30s 2018-04-04T08:02:44+03:00 INFO Beat UUID: db80f896-0169-45bb-ac63-84946a2c11a3 2018-04-04T08:02:44+03:00 INFO Setup Beat: winlogbeat; Version: 6.1.1 2018-04-04T08:02:44+03:00 INFO Beat name: MYHOSTNAME 2018-04-04T08:02:44+03:00 INFO State will be read from and persisted to C:\ProgramData\winlogbeat\.winlogbeat.yml 2018-04-04T08:02:44+03:00 INFO winlogbeat start running. 2018-04-04T08:02:46+03:00 INFO EventLog[Security] successfully published 45 events 2018-04-04T08:02:56+03:00 INFO EventLog[Security] successfully published 18 events 2018-04-04T08:02:57+03:00 INFO EventLog[Security] successfully published 5 events 2018-04-04T08:02:59+03:00 INFO EventLog[Security] successfully published 2 events 2018-04-04T08:03:01+03:00 INFO EventLog[Security] successfully published 4 events
Login to Kibana console to view the shipped logs